CenterWell Data Breach

A Kentucky-based healthcare company is now at the center of a serious data privacy incident, and patients across more than 30 states may be affected without even knowing it yet. On March 6, 2026, CenterWell — a Louisville-headquartered senior healthcare organization providing primary care, pharmacy services, and home health care — reported a data breach to the Texas Attorney General. 

The filing confirmed that an unauthorized third party may have accessed sensitive personal and health information stored within the company’s systems. As of the date of this article, CenterWell has not begun notifying affected individuals, and the full scope of the breach remains undisclosed. Contact our data breach lawyers to learn more. 

What We Know About the CenterWell Breach

According to the Texas Attorney General’s breach report, an unauthorized party gained access to CenterWell’s systems and potentially obtained sensitive data belonging to patients and individuals in the company’s records. The types of information at risk vary by individual but may include:

• Full legal name and home address
• Date of birth
• Social Security number
• Medical records and treatment history
• Protected health information (PHI)
• Financial account details

CenterWell operates across more than 30 U.S. states and employs over 1,000 people. Given that scale, the number of potentially affected individuals could be significant — though the company has not yet confirmed a final count or begun issuing breach notification letters.

Why the Delayed Notification Matters

Under HIPAA, covered entities are required to notify affected individuals of a breach involving protected health information without unreasonable delay, and no later than 60 days from the date of discovery. State laws impose their own timelines as well.

When a company of CenterWell’s size files a breach report with a state attorney general but withholds direct notification to patients, it raises questions about transparency and regulatory compliance. Affected individuals are left unable to take protective steps during a window when that action matters most.

This isn’t a technicality. Delayed notification has real consequences for real people. And in data breach litigation, it is exactly the kind of conduct courts have found relevant to determining liability.

The Legal Framework: HIPAA, State Privacy Laws, and Your Rights

The CenterWell breach sits at the intersection of several overlapping legal frameworks. HIPAA establishes baseline protections for protected health information and creates an enforcement pathway through the U.S. Department of Health and Human Services. State privacy and data breach notification statutes — including those in Kentucky and Texas — impose independent obligations on companies that handle resident data.

When those obligations are not met, affected individuals may have grounds to pursue civil remedies. Courts have recognized claims for negligence, breach of implied contract, and unjust enrichment in healthcare data breach cases, particularly where plaintiffs can show the company failed to implement reasonable security safeguards or delayed meaningful notification.

If your information was exposed, the fact that no notification has arrived yet does not mean you haven’t been affected.

Why Hire The Lyon Firm for a Data Breach Case?

Healthcare data breaches are not routine legal matters. They require attorneys who understand the intersection of federal privacy law, state consumer protection statutes, and the technical realities of how breaches occur and are investigated.

The Lyon Firm focuses on data privacy and security litigation. Our attorneys have pursued accountability against healthcare companies, insurers, and technology platforms on behalf of individuals whose most sensitive information was left exposed by inadequate security practices.

When you contact The Lyon Firm, we evaluate your situation at no cost and no obligation. We explain your options plainly, tell you honestly whether we think you have a viable claim, and only take cases we intend to fight. If CenterWell failed to protect your data and delayed telling you about it, we want to hear from you.